Rename PO Device IDs access -> Org Owned device

Repurpose the "Profile Owner was granted access to device identifiers"
concept as "Profile Owner of an organization-owned device".

The old method now throws an exception, as it should not be called by
anything other than ManagedProvisioning (which is changed in this topic).

The new method now provides the functionality the old method provided,
and there's a new permission associated with it.

No functionality has been added or removed in this CL beyond that.

Bug: 138709470
Test: atest FrameworksServicesTests:DevicePolicyManagerTest
Test: atest com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testDeviceIdAttestationForProfileOwner
Change-Id: I9914e8220213898d0c6b3499af8897e3a6f23819
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index ea987c0..b033492 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -8009,7 +8009,7 @@
 
     private boolean canProfileOwnerAccessDeviceIds(int userId) {
         synchronized (getLockObject()) {
-            return mOwners.canProfileOwnerAccessDeviceIds(userId);
+            return mOwners.isProfileOwnerOfOrganizationOwnedDevice(userId);
         }
     }
 
@@ -12661,14 +12661,14 @@
         return false;
     }
 
-    private boolean hasGrantProfileOwnerDevcieIdAccessPermission() {
+    private boolean hasMarkProfileOwnerOnOrganizationOwnedDevicePermission() {
         return mContext.checkCallingPermission(
-                android.Manifest.permission.GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS)
+                permission.MARK_DEVICE_ORGANIZATION_OWNED)
                 == PackageManager.PERMISSION_GRANTED;
     }
 
     @Override
-    public void grantDeviceIdsAccessToProfileOwner(ComponentName who, int userId) {
+    public void markProfileOwnerOnOrganizationOwnedDevice(ComponentName who, int userId) {
         // As the caller is the system, it must specify the component name of the profile owner
         // as a sanity / safety check.
         Preconditions.checkNotNull(who);
@@ -12677,16 +12677,24 @@
             return;
         }
 
-        // Only privileged system apps can grant the Profile Owner access to Device IDs.
-        if (!(isCallerWithSystemUid() || isAdb()
-                || hasGrantProfileOwnerDevcieIdAccessPermission())) {
+        // Only adb or system apps with the right permission can mark a profile owner on
+        // organization-owned device.
+        if (!(isAdb() || hasMarkProfileOwnerOnOrganizationOwnedDevicePermission())) {
             throw new SecurityException(
-                    "Only the system can grant Device IDs access for a profile owner.");
+                    "Only the system can mark a profile owner of organization-owned device.");
         }
 
-        if (isAdb() && hasIncompatibleAccountsOrNonAdbNoLock(userId, who)) {
-            throw new SecurityException(
-                    "Can only be called from ADB if the device has no accounts.");
+        if (isAdb()) {
+            if (hasIncompatibleAccountsOrNonAdbNoLock(userId, who)) {
+                throw new SecurityException(
+                        "Can only be called from ADB if the device has no accounts.");
+            }
+        } else {
+            if (hasUserSetupCompleted(UserHandle.USER_SYSTEM)) {
+                throw new IllegalStateException(
+                        "Cannot mark profile owner as managing an organization-owned device after"
+                                + " set-up");
+            }
         }
 
         // Grant access under lock.
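Review bot: The rewritten gate at L58 drops the old `isCallerWithSystemUid()` bypass, so a caller running as the system UID without MARK_DEVICE_ORGANIZATION_OWNED is now rejected, and the new else branch refuses permissioned callers once setup is complete — both are behaviour changes the commit message ("No functionality has been added or removed") does not mention, and the earlier comment "As the caller is the system" no longer describes the contract. Worth stating it at the top of the method, e.g. `// Caller must be adb (only while no accounts exist) or hold MARK_DEVICE_ORGANIZATION_OWNED (only before user setup completes).` The setup gate is evaluated against `UserHandle.USER_SYSTEM` rather than the parent of `userId`; if a managed profile can belong to a secondary user this presumably checks the wrong user, so please confirm or derive the parent via the user manager. Note also that the gate runs before the lock taken at the end of this hunk, so it is not atomic with the grant; the enclosing method continues past the hunk.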
@@ -12699,8 +12707,9 @@
                         who.flattenToString(), userId));
             }
 
-            Slog.i(LOG_TAG, String.format("Granting Device ID access to %s, for user %d",
-                        who.flattenToString(), userId));
+            Slog.i(LOG_TAG, String.format(
+                    "Marking %s as profile owner on organization-owned device for user %d",
+                    who.flattenToString(), userId));
 
             // First, set restriction on removing the profile.
             final long ident = mInjector.binderClearCallingIdentity();
@@ -12720,9 +12729,9 @@
                 mInjector.binderRestoreCallingIdentity(ident);
             }
 
-            // setProfileOwnerCanAccessDeviceIds will trigger writing of the profile owner
+            // markProfileOwnerOfOrganizationOwnedDevice will trigger writing of the profile owner
             // data, no need to do it manually.
-            mOwners.setProfileOwnerCanAccessDeviceIds(userId);
+            mOwners.markProfileOwnerOfOrganizationOwnedDevice(userId);
         }
     }
 
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/Owners.java b/services/devicepolicy/java/com/android/server/devicepolicy/Owners.java
index 65bf86f..f70fe90 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/Owners.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/Owners.java
@@ -101,7 +101,12 @@
     private static final String ATTR_USER_RESTRICTIONS_MIGRATED = "userRestrictionsMigrated";
     private static final String ATTR_FREEZE_RECORD_START = "start";
     private static final String ATTR_FREEZE_RECORD_END = "end";
+    // Legacy attribute, its presence would mean the profile owner associated with it is
+    // managing a profile on an organization-owned device.
     private static final String ATTR_CAN_ACCESS_DEVICE_IDS = "canAccessDeviceIds";
+    // New attribute for profile owner of organization-owned device.
+    private static final String ATTR_PROFILE_OWNER_OF_ORG_OWNED_DEVICE =
+            "isPoOrganizationOwnedDevice";
 
     private final UserManager mUserManager;
     private final UserManagerInternal mUserManagerInternal;
@@ -286,7 +291,7 @@
             // semantically compatible with the meaning of this flag.
             mDeviceOwner = new OwnerInfo(ownerName, admin, userRestrictionsMigrated,
                     /* remoteBugreportUri =*/ null, /* remoteBugreportHash =*/
-                    null, /* canAccessDeviceIds =*/true);
+                    null, /* isOrganizationOwnedDevice =*/true);
             mDeviceOwnerUserId = userId;
 
             mUserManagerInternal.setDeviceManaged(true);
@@ -313,7 +318,7 @@
             // For a newly set PO, there's no need for migration.
             mProfileOwners.put(userId, new OwnerInfo(ownerName, admin,
                     /* userRestrictionsMigrated =*/ true, /* remoteBugreportUri =*/ null,
-                    /* remoteBugreportHash =*/ null, /* canAccessDeviceIds =*/ false));
+                    /* remoteBugreportHash =*/ null, /* isOrganizationOwnedDevice =*/ false));
             mUserManagerInternal.setUserManaged(userId, true);
             pushToPackageManagerLocked();
             pushToAppOpsLocked();
@@ -334,8 +339,8 @@
             final OwnerInfo ownerInfo = mProfileOwners.get(userId);
             final OwnerInfo newOwnerInfo = new OwnerInfo(target.getPackageName(), target,
                     ownerInfo.userRestrictionsMigrated, ownerInfo.remoteBugreportUri,
-                    ownerInfo.remoteBugreportHash, /* canAccessDeviceIds =*/
-                    ownerInfo.canAccessDeviceIds);
+                    ownerInfo.remoteBugreportHash, /* isOrganizationOwnedDevice =*/
+                    ownerInfo.isOrganizationOwnedDevice);
             mProfileOwners.put(userId, newOwnerInfo);
             pushToPackageManagerLocked();
             pushToAppOpsLocked();
@@ -348,8 +353,8 @@
             // See DevicePolicyManagerService#getDeviceOwnerName
             mDeviceOwner = new OwnerInfo(null, target,
                     mDeviceOwner.userRestrictionsMigrated, mDeviceOwner.remoteBugreportUri,
-                    mDeviceOwner.remoteBugreportHash, /* canAccessDeviceIds =*/
-                    mDeviceOwner.canAccessDeviceIds);
+                    mDeviceOwner.remoteBugreportHash, /* isOrganizationOwnedDevice =*/
+                    mDeviceOwner.isOrganizationOwnedDevice);
             pushToPackageManagerLocked();
             pushToActivityTaskManagerLocked();
             pushToAppOpsLocked();
@@ -378,13 +383,13 @@
     }
 
     /**
-     * Returns true if {@code userId} has a profile owner and that profile owner was granted
-     * the ability to access device identifiers.
+     * Returns true if {@code userId} has a profile owner and that profile owner is on an
+     * organization-owned device, as indicated by the provisioning flow.
      */
-    boolean canProfileOwnerAccessDeviceIds(int userId) {
+    boolean isProfileOwnerOfOrganizationOwnedDevice(int userId) {
         synchronized (mLock) {
             OwnerInfo profileOwner = mProfileOwners.get(userId);
-            return profileOwner != null ? profileOwner.canAccessDeviceIds : false;
+            return profileOwner != null ? profileOwner.isOrganizationOwnedDevice : false;
         }
     }
 
@@ -523,15 +528,16 @@
         }
     }
 
-    /** Sets the grant to access device IDs, and also writes to file. */
-    void setProfileOwnerCanAccessDeviceIds(int userId) {
+    /** Sets the indicator that the profile owner manages an organization-owned device,
+     * then write to file. */
+    void markProfileOwnerOfOrganizationOwnedDevice(int userId) {
         synchronized (mLock) {
             OwnerInfo profileOwner = mProfileOwners.get(userId);
             if (profileOwner != null) {
-                profileOwner.canAccessDeviceIds = true;
+                profileOwner.isOrganizationOwnedDevice = true;
             } else {
                 Slog.e(TAG, String.format(
-                        "Cannot grant Device IDs access for user %d, no profile owner.", userId));
+                        "No profile owner for user %d to set as org-owned.", userId));
             }
             writeProfileOwner(userId);
         }
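Review bot: When no profile owner exists for `userId` the renamed method logs an error but still falls through to `writeProfileOwner(userId)`, persisting state for a user it just reported as having no owner; a `return;` after the `Slog.e(...)` would leave the file untouched. This is pre-existing behaviour that the rename carries over rather than something the commit introduces. The DPMS caller appears to validate the profile owner before reaching here, so the exposure is limited to direct callers of Owners.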
@@ -558,7 +564,7 @@
                     String packageName = parser.getAttributeValue(null, ATTR_PACKAGE);
                     mDeviceOwner = new OwnerInfo(name, packageName,
                             /* userRestrictionsMigrated =*/ false, /* remoteBugreportUri =*/ null,
-                            /* remoteBugreportHash =*/ null, /* canAccessDeviceIds =*/ true);
+                            /* remoteBugreportHash =*/ null, /* isOrganizationOwnedDevice =*/ true);
                     mDeviceOwnerUserId = UserHandle.USER_SYSTEM;
                 } else if (tag.equals(TAG_DEVICE_INITIALIZER)) {
                     // Deprecated tag
@@ -575,7 +581,7 @@
                         if (admin != null) {
                             profileOwnerInfo = new OwnerInfo(profileOwnerName, admin,
                                     /* userRestrictionsMigrated =*/ false, null,
-                                    null, /* canAccessDeviceIds =*/ false);
+                                    null, /* isOrganizationOwnedDevice =*/ false);
                         } else {
                             // This shouldn't happen but switch from package name -> component name
                             // might have written bad device owner files. b/17652534
@@ -587,7 +593,7 @@
                         profileOwnerInfo = new OwnerInfo(profileOwnerName, profileOwnerPackageName,
                                 /* userRestrictionsMigrated =*/ false,
                                 /* remoteBugreportUri =*/ null, /* remoteBugreportHash =*/
-                                null, /* canAccessDeviceIds =*/ false);
+                                null, /* isOrganizationOwnedDevice =*/ false);
                     }
                     mProfileOwners.put(userId, profileOwnerInfo);
                 } else if (TAG_SYSTEM_UPDATE_POLICY.equals(tag)) {
@@ -947,28 +953,30 @@
         public boolean userRestrictionsMigrated;
         public String remoteBugreportUri;
         public String remoteBugreportHash;
-        public boolean canAccessDeviceIds;
+        public boolean isOrganizationOwnedDevice;
 
         public OwnerInfo(String name, String packageName, boolean userRestrictionsMigrated,
-                String remoteBugreportUri, String remoteBugreportHash, boolean canAccessDeviceIds) {
+                String remoteBugreportUri, String remoteBugreportHash,
+                boolean isOrganizationOwnedDevice) {
             this.name = name;
             this.packageName = packageName;
             this.admin = new ComponentName(packageName, "");
             this.userRestrictionsMigrated = userRestrictionsMigrated;
             this.remoteBugreportUri = remoteBugreportUri;
             this.remoteBugreportHash = remoteBugreportHash;
-            this.canAccessDeviceIds = canAccessDeviceIds;
+            this.isOrganizationOwnedDevice = isOrganizationOwnedDevice;
         }
 
         public OwnerInfo(String name, ComponentName admin, boolean userRestrictionsMigrated,
-                String remoteBugreportUri, String remoteBugreportHash, boolean canAccessDeviceIds) {
+                String remoteBugreportUri, String remoteBugreportHash,
+                boolean isOrganizationOwnedDevice) {
             this.name = name;
             this.admin = admin;
             this.packageName = admin.getPackageName();
             this.userRestrictionsMigrated = userRestrictionsMigrated;
             this.remoteBugreportUri = remoteBugreportUri;
             this.remoteBugreportHash = remoteBugreportHash;
-            this.canAccessDeviceIds = canAccessDeviceIds;
+            this.isOrganizationOwnedDevice = isOrganizationOwnedDevice;
         }
 
         public void writeToXml(XmlSerializer out, String tag) throws IOException {
@@ -988,9 +996,9 @@
             if (remoteBugreportHash != null) {
                 out.attribute(null, ATTR_REMOTE_BUGREPORT_HASH, remoteBugreportHash);
             }
-            if (canAccessDeviceIds) {
-                out.attribute(null, ATTR_CAN_ACCESS_DEVICE_IDS,
-                        String.valueOf(canAccessDeviceIds));
+            if (isOrganizationOwnedDevice) {
+                out.attribute(null, ATTR_PROFILE_OWNER_OF_ORG_OWNED_DEVICE,
+                        String.valueOf(isOrganizationOwnedDevice));
             }
             out.endTag(null, tag);
         }
@@ -1012,13 +1020,17 @@
                     parser.getAttributeValue(null, ATTR_CAN_ACCESS_DEVICE_IDS);
             final boolean canAccessDeviceIds =
                     ("true".equals(canAccessDeviceIdsStr));
+            final String isOrgOwnedDeviceStr =
+                    parser.getAttributeValue(null, ATTR_PROFILE_OWNER_OF_ORG_OWNED_DEVICE);
+            final boolean isOrgOwnedDevice =
+                    ("true".equals(isOrgOwnedDeviceStr)) | canAccessDeviceIds;
 
             // Has component name?  If so, return [name, component]
             if (componentName != null) {
                 final ComponentName admin = ComponentName.unflattenFromString(componentName);
                 if (admin != null) {
                     return new OwnerInfo(name, admin, userRestrictionsMigrated,
-                            remoteBugreportUri, remoteBugreportHash, canAccessDeviceIds);
+                            remoteBugreportUri, remoteBugreportHash, isOrgOwnedDevice);
                 } else {
                     // This shouldn't happen but switch from package name -> component name
                     // might have written bad device owner files. b/17652534
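Review bot: The merge of the legacy and new attributes at L284 uses the non-short-circuit `|` on two booleans; it is equivalent here but reads like a typo, so `("true".equals(isOrgOwnedDeviceStr)) || canAccessDeviceIds` is the idiomatic form. A short comment would also help the next reader, since the legacy attribute is read here but never written back by writeToXml: `// Legacy canAccessDeviceIds upgrades in place: either attribute marks the PO as org-owned.` The enclosing readFromXml starts before this hunk and continues after it.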
@@ -1029,14 +1041,14 @@
 
             // Else, build with [name, package]
             return new OwnerInfo(name, packageName, userRestrictionsMigrated, remoteBugreportUri,
-                    remoteBugreportHash, canAccessDeviceIds);
+                    remoteBugreportHash, isOrgOwnedDevice);
         }
 
         public void dump(IndentingPrintWriter pw) {
             pw.println("admin=" + admin);
             pw.println("name=" + name);
             pw.println("package=" + packageName);
-            pw.println("canAccessDeviceIds=" + canAccessDeviceIds);
+            pw.println("isOrganizationOwnedDevice=" + isOrganizationOwnedDevice);
         }
     }
 
diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
index eef77ee..ed55aeb 100644
--- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
@@ -5143,7 +5143,7 @@
         configureContextForAccess(mContext, false);
 
         assertExpectException(SecurityException.class, /* messageRegex= */ null,
-                () -> dpm.setProfileOwnerCanAccessDeviceIds(admin2));
+                () -> dpm.markProfileOwnerOnOrganizationOwnedDevice(admin2));
     }
 
     public void testGrantDeviceIdsAccess_notByAuthorizedCaller() throws Exception {
@@ -5151,20 +5151,20 @@
         configureContextForAccess(mContext, false);
 
         assertExpectException(SecurityException.class, /* messageRegex= */ null,
-                () -> dpm.setProfileOwnerCanAccessDeviceIds(admin1));
+                () -> dpm.markProfileOwnerOnOrganizationOwnedDevice(admin1));
     }
 
     public void testGrantDeviceIdsAccess_byAuthorizedSystemCaller() throws Exception {
         setupProfileOwner();
 
         // This method will throw if the system context could not call
-        // setProfileOwnerCanAccessDeviceIds successfully.
-        configureProfileOwnerForDeviceIdAccess(admin1, DpmMockContext.CALLER_USER_HANDLE);
+        // markProfileOwnerOfOrganizationOwnedDevice successfully.
+        configureProfileOwnerOfOrgOwnedDevice(admin1, DpmMockContext.CALLER_USER_HANDLE);
     }
 
     private void configureContextForAccess(DpmMockContext context, boolean granted) {
         when(context.spiedContext.checkCallingPermission(
-                android.Manifest.permission.GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS))
+                permission.MARK_DEVICE_ORGANIZATION_OWNED))
                 .thenReturn(granted ? PackageManager.PERMISSION_GRANTED
                         : PackageManager.PERMISSION_DENIED);
 
@@ -5183,7 +5183,7 @@
                         DpmMockContext.CALLER_MANAGED_PROVISIONING_UID);
         try {
             runAsCaller(mServiceContext, dpms, dpm -> {
-                dpm.setProfileOwnerCanAccessDeviceIds(admin1);
+                dpm.markProfileOwnerOnOrganizationOwnedDevice(admin1);
             });
         } finally {
             mServiceContext.binder.restoreCallingIdentity(ident);
@@ -5221,7 +5221,7 @@
                         admin1.getPackageName(), DpmMockContext.CALLER_SYSTEM_USER_UID));
 
         setupProfileOwner();
-        configureProfileOwnerForDeviceIdAccess(admin1, DpmMockContext.CALLER_USER_HANDLE);
+        configureProfileOwnerOfOrgOwnedDevice(admin1, DpmMockContext.CALLER_USER_HANDLE);
 
         // The profile owner is allowed to request Device ID attestation.
         mServiceContext.binder.callingUid = DpmMockContext.CALLER_UID;
@@ -5258,7 +5258,7 @@
                 dpm -> dpm.setDelegatedScopes(admin1, DpmMockContext.DELEGATE_PACKAGE_NAME,
                         Arrays.asList(DELEGATION_CERT_INSTALL)));
 
-        configureProfileOwnerForDeviceIdAccess(admin1, DpmMockContext.CALLER_USER_HANDLE);
+        configureProfileOwnerOfOrgOwnedDevice(admin1, DpmMockContext.CALLER_USER_HANDLE);
 
         // Make sure that the profile owner can still request Device ID attestation.
         mServiceContext.binder.callingUid = DpmMockContext.CALLER_UID;
@@ -5435,15 +5435,16 @@
         assertTrue(dpm.isPackageAllowedToAccessCalendar(testPackage));
     }
 
-    private void configureProfileOwnerForDeviceIdAccess(ComponentName who, int userId) {
+    private void configureProfileOwnerOfOrgOwnedDevice(ComponentName who, int userId) {
         when(getServices().userManager.getProfileParent(eq(UserHandle.of(userId))))
                 .thenReturn(UserHandle.SYSTEM);
-
         final long ident = mServiceContext.binder.clearCallingIdentity();
         mServiceContext.binder.callingUid =
                 UserHandle.getUid(DpmMockContext.CALLER_USER_HANDLE, DpmMockContext.SYSTEM_UID);
+
+        configureContextForAccess(mServiceContext, true);
         runAsCaller(mServiceContext, dpms, dpm -> {
-            dpm.setProfileOwnerCanAccessDeviceIds(who);
+            dpm.markProfileOwnerOnOrganizationOwnedDevice(who);
         });
         mServiceContext.binder.restoreCallingIdentity(ident);
     }
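Review bot: The helper now has to grant MARK_DEVICE_ORGANIZATION_OWNED at L391 because a system UID alone no longer passes the service check, yet no test pins that rejection, nor the new IllegalStateException thrown once user setup is complete. Two small tests would cover the added surface: one that calls `configureContextForAccess(mServiceContext, false)` with `callingUid` set to SYSTEM_UID and expects SecurityException from `markProfileOwnerOnOrganizationOwnedDevice`, and one that marks setup complete for `UserHandle.USER_SYSTEM` before the call and expects IllegalStateException. The surviving `testGrantDeviceIdsAccess_*` names still describe the old API and could be renamed alongside the helper for consistency.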